In digital communications networks, packet processing refers to the wide variety of techniques that are applied to a packet of data or information as it moves through the various network elements of a communications network. There are two broad classes of packet processing techniques that align with the standardized network subdivisions of control plane and data plane. The techniques are applied to either control information contained in a packet which is used to transfer the packet safely and efficiently from origin to destination or the data content (frequently called the payload) of the packet, which is used to provide some content-specific transformation or take a content-driven action. Within any network enabled device (e.g. router, switch, firewall, network element or terminal such as a computer or smartphone) it is the packet processing subsystem that manages the traversal of the multi-layered network or protocol stack from the lower, physical and network layers all the way through to the application layer.
Packet processing systems often apply packet filter rules (PFRs) (also known as Internet Protocol (IP) filter rules) to examine incoming packets. The packet filter examines the header of each packet based on a specific set of rules, and on that basis decides to allow the packet to pass through the filter (called an Accept/Pass Action) or prevent the packet from passing through (called a Drop Action). Packet filters have a significant impact on performance, both throughput and latency, since typically multiple PFRs are checked for every received packet on an interface before the packet is forwarded or terminated. Scaling up the number of rules and/or the rule complexity also significantly impacts performance.
One way to implement PFRs is by using a software-based library executing on one or more processor cores of a computing platform. The Berkeley Packet Filter (BPF), invented in 1992 by Steven McCanne and Van Jacobson, has become the de-facto standard mechanism for packet filtering in most UNIX™ and Linux™ operating systems (OS). BPF was used in the original Tcpdump and LibPCAP implementations to efficiently select which packets are to be taken from a packet stream. The basic idea is that a set of filter rules is compiled into bytecode that is then applied to each inspected packet to decide whether the packet is passed or ignored. BPF allowed high-level PFRs such as “only pass packets from example.com with the tcp destination port X” to be written and compiled into code that runs efficiently.
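To make the compile-to-bytecode model concrete, the following added example (not part of this document, and not the kernel's own VM) transcribes the classic BPF bytecode that tcpdump generates for the rule “ip and tcp dst port 80” and runs it through a toy interpreter over constructed Ethernet/IPv4 frames. The interpreter covers only the handful of opcodes this program uses; the 262144 return value is tcpdump's default snapshot length and is assumed here as the “accept” result.

```python
import struct

ACCEPT, DROP = 262144, 0  # classic BPF return value = bytes to keep; 0 drops

# Bytecode tcpdump emits for "ip and tcp dst port 80" on Ethernet, as (opcode, jt, jf, k)
# with kernel-style relative jumps (target = pc + 1 + jt).
TCP_DST_80 = [
    ("ldh", 0, 0, 12),       # A = EtherType
    ("jeq", 0, 8, 0x0800),   # not IPv4 -> ret DROP
    ("ldb", 0, 0, 23),       # A = IP protocol
    ("jeq", 0, 6, 6),        # not TCP -> ret DROP
    ("ldh", 0, 0, 20),       # A = IP flags + fragment offset
    ("jset", 4, 0, 0x1fff),  # non-first fragment carries no TCP header -> DROP
    ("ldxb_msh", 0, 0, 14),  # X = 4 * IHL, the IPv4 header length
    ("ldh_x", 0, 0, 16),     # A = TCP dst port at 14 + X + 2
    ("jeq", 0, 1, 80),
    ("ret", 0, 0, ACCEPT),
    ("ret", 0, 0, DROP),
]

def run_filter(prog, pkt):
    """Toy classic-BPF interpreter (assumed subset); out-of-bounds loads drop, as the kernel does."""
    a = x = pc = 0
    try:
        while pc < len(prog):
            op, jt, jf, k = prog[pc]
            pc += 1
            if op == "ldh":
                a = struct.unpack_from("!H", pkt, k)[0]
            elif op == "ldb":
                a = pkt[k]
            elif op == "ldh_x":
                a = struct.unpack_from("!H", pkt, x + k)[0]
            elif op == "ldxb_msh":
                x = 4 * (pkt[k] & 0x0F)
            elif op == "jeq":
                pc += jt if a == k else jf
            elif op == "jset":
                pc += jt if a & k else jf
            elif op == "ret":
                return k
    except (IndexError, struct.error):
        return DROP
    return DROP

def build_packet(proto, dst_port, frag_off=0, ihl=5):
    """Constructed Ethernet/IPv4 frame (not captured traffic) with an 8-byte L4 stub."""
    opts = b"\x00" * (4 * (ihl - 5))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 28 + len(opts), 0, frag_off,
                     64, proto, 0, b"\xc0\x00\x02\x01", b"\xc6\x33\x64\x01")
    return b"\x00" * 12 + b"\x08\x00" + ip + opts + struct.pack("!HH", 12345, dst_port) + bytes(4)
```

Running `run_filter(TCP_DST_80, build_packet(6, 80))` yields ACCEPT, while a UDP datagram, a non-first IP fragment, a different port, or a frame truncated before the TCP header all yield DROP.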
Recently, the Linux™ kernel implementation extended BPF and moved it out of the network subsystem code. One change was the addition of “maps”, which are basically key-value sets that allow state information to be kept between packet inspection events and passed back to the user.
The BPF implementation has its own virtual machine which runs bytecode generated by a BPF compiler, as well as just-in-time (JIT) compilers from bytecode to native code. Some network device manufacturers (such as Netronome, available at www.netronome.com) have started to offer BPF offload in silicon. With the expected development of fully offloaded BPF/BPF hardware, extensions to the BPF semantics are needed to integrate such hardware seamlessly into Linux™. It would greatly increase the utility of BPF programs if they could access HW registers and offload engines. Currently there is no consistent way to offer these resources for consumption by BPF kernel programs.